CVE-2025-14847 (MongoBleed) - Request for Percona 4.4.30 Security Patch
Hey everyone,
I’m in a bit of a tough spot and hoping someone from Percona can weigh in.
We’re running Percona Server for MongoDB 4.4.23-22 in production on Kubernetes, and just found out about CVE-2025-14847 (the MongoBleed vulnerability). From what I understand, MongoDB released 4.4.30 to patch it, but Percona stopped at 4.4.29-28 back in April when 4.4 went EOL.
I know 4.4 is end-of-life and normally I’d just upgrade, but we’re not in a position to jump to 5.0 right now. We’ve got seven MongoDB instances exposed on public IPs (yeah, I know…), and upgrading to 5.0 means at least a week or two of testing and coordination. With this CVE being actively exploited and having a public proof-of-concept, I’m getting a lot of pressure from management to fix this quickly.
For now, I’ve disabled zlib compression on all our clusters as a workaround, which should mitigate the risk. But I’d feel a lot better with an actual patched version.
Is there any possibility Percona could release a 4.4.30 with just the security fix? I understand this is an EOL version and you probably have policies around that, but given how critical this vulnerability is (CVSS 8.7, active exploitation in the wild), I thought it might be worth asking.
Our setup:
- Percona Server for MongoDB 4.4.23-22
- Running on GKE with Percona Operator 1.14.0
- Multiple clusters with public LoadBalancer services (needed for our architecture)
- About 87,000 potentially vulnerable instances globally according to the security reports
I’ve already started planning the upgrade to 5.0, so we’ll get there eventually. Just wondering if there’s any way to get a band-aid fix in the meantime.
Thanks for any guidance you can provide!
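The zlib workaround from the post above, as an added example that is not part of this thread and not Percona or MongoDB code: a small Python checker that reads a mongod YAML config or command line and reports whether the zlib network compressor is still offered. It also covers the case that is easy to miss, where the option is simply absent: mongod 4.2 and later then default to `snappy,zstd,zlib` (stated here as an assumption to verify against the docs for your exact version), so an untouched config still has zlib on. The sample configs are constructed.

```python
"""Check whether a mongod configuration still enables the zlib network compressor.

Added example for this thread, not Percona or MongoDB code. It inspects the
``net.compression.compressors`` setting (or the equivalent
``--networkMessageCompressors`` flag). Sample configs below are constructed.
"""
import re
from typing import Iterable, List, Optional

# mongod 4.2+ enables these compressors when the option is absent (assumption:
# matches the documented default; verify against your server version's docs).
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]

# Only net.compression.compressors uses this key name in mongod's config file,
# so a plain key match is enough for a single-line value.
_YAML_KEY = re.compile(r"^\s*compressors\s*:\s*(.+?)\s*$", re.MULTILINE)


def compressors_from_yaml(config_text: str) -> Optional[List[str]]:
    """Return the compressor list from a mongod YAML config, or None if unset.

    Accepts both 'compressors: snappy,zlib' and the YAML flow form
    'compressors: [snappy, zlib]'.
    """
    match = _YAML_KEY.search(config_text)
    if not match:
        return None
    raw = match.group(1).strip().strip("[]")
    return [c.strip().strip("'\"") for c in raw.split(",") if c.strip()]


def compressors_from_argv(argv: Iterable[str]) -> Optional[List[str]]:
    """Return the compressor list from mongod command-line args, or None if unset."""
    args = list(argv)
    for i, arg in enumerate(args):
        if arg.startswith("--networkMessageCompressors="):
            value = arg.split("=", 1)[1]
        elif arg == "--networkMessageCompressors" and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        return [c.strip() for c in value.split(",") if c.strip()]
    return None


def assess(compressors: Optional[List[str]]) -> str:
    """Classify the effective compressor setting with respect to the zlib workaround."""
    effective = DEFAULT_COMPRESSORS if compressors is None else compressors
    if effective == ["disabled"]:
        return "ok: all wire compression disabled"
    if "zlib" in effective:
        source = "default" if compressors is None else "explicit"
        return f"zlib enabled ({source}): workaround not applied"
    return "ok: zlib not offered (" + ",".join(effective) + ")"


# Constructed sample configs: one with zlib removed, one that never set the option.
SAMPLE_HARDENED = """\
net:
  bindIp: 0.0.0.0
  compression:
    compressors: snappy,zstd
"""
SAMPLE_DEFAULT = """\
net:
  bindIp: 0.0.0.0
"""

if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(name, "->", assess(compressors_from_yaml(text)))
```

With the Percona Operator the same mongod YAML is normally supplied through the replica set's `configuration` field in the cluster custom resource (field name stated as an assumption), so the checker can be pointed at that string as well; `disabled` turns wire compression off entirely, which is the stricter setting if the clients can tolerate it.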
Hi @Marwan_Ghoniem - welcome to our Community. As the Product Manager for Percona Server for MongoDB, I want to thank you for reaching out. I understand the pressure you’re under, especially with internet-exposed instances.
While we recognize the severity of CVE-2025-14847 (MongoBleed), we’re still evaluating the feasibility of building and releasing an EOLed 4.4 version of Percona Server for MongoDB. I’ll get back to you about that this week.
You also mentioned your plans to upgrade to 5.0 → this version is also EOL and we currently don’t have a PSMDB build for that. Would you consider upgrading further, to 6.0, which contains the fix?
Additionally, because MongoBleed allows attackers to read uninitialized heap memory, assume that sensitive data (like credentials or session tokens) may have already been leaked if your instances were exposed before you disabled zlib. Consider rotating your database credentials in a staged manner once the environment is secure.
What we can also do is push the fix to the 4.4 branch so you can build from source, if that’s feasible for you. What do you think?
Hi @radoslaw.szulgo - thanks so much for the quick response and for considering both options!
I really appreciate the offer to push the fix to the 4.4 branch, but building from source for our production environment isn’t really feasible right now. We don’t have the build infrastructure or the expertise to maintain custom-compiled binaries at scale, and I’d be concerned about long-term supportability.
Given that 5.0 is also EOL as you mentioned, I think upgrading to 6.0 makes the most sense for us. A few quick questions to help me plan:
- What’s the current stable version of Percona Server for MongoDB 6.0 that includes the CVE fix?
- What’s the supported upgrade path from 4.4.23-22 to 6.0? Can we go directly, or do we need to go 4.4 → 5.0 → 6.0?
- We’re running Percona Operator 1.14.0 - what operator version supports both 4.4 and 6.0 for a smooth migration?
- Should we consider jumping to 7.0 instead for longer support?
We have zlib disabled on all clusters right now, so we’re mitigated for the moment. I’ll start putting together an upgrade plan this week.
Thanks again for the quick turnaround and guidance!